Suppose I have a git repo with app.py and I accidentally include an API key (or other secret) as plaintext in app.py in a commit that I have not yet pushed to a remote (let's say on GitHub).
To undo and fix this commit locally, I could:
git reset --soft HEAD~1
# ...make changes to remove the plain-text API key from app.py
git add .
git commit -m "some message"
Locally, I could still checkout to the ref where I accidentally committed the plaintext API key and view the secret in app.py:
git reflog
# look for ref where I accidentally committed API Key
git checkout <ref from above>
If I push the commit that removes the plaintext API key (i.e. the commit with message "some message" from above) to a remote, is there any way that the remote would still be able to 'see' the ref where the API key was included in plaintext? Could this secret potentially end up on GitHub (even if just on their servers, not necessarily visible through the website/public APIs)?
Thanks very much in advance!
Use git gc. But if you push to the remote repo, they will disappear over time.
More information here: How to delete already removed commit from detached head?
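The scenario from the question can be checked end to end with the script below, which is an added example and not part of the original question or answer. It builds a throwaway local repo and a bare "remote" in a temp directory (all paths, the identity and the key are constructed), repeats the soft reset fix, pushes, and tests whether the leaked commit object exists on each side before and after expiring the reflog and pruning.

```bash
#!/usr/bin/env bash
# Added example: every repo, path and key here is constructed for the demo.
demo_leak_check() {
  work=$(mktemp -d) || return 1
  (
    set -e
    cd "$work"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
    git init -q --bare remote.git 2>/dev/null
    git init -q local 2>/dev/null
    cd local

    echo 'print("hello")' > app.py
    git add . && git commit -q -m "initial"
    echo 'API_KEY = "EXAMPLE-NOT-A-REAL-KEY"' >> app.py
    git add . && git commit -q -m "oops: key committed"
    leaked=$(git rev-parse HEAD)

    # The fix from the question: soft reset, remove the key, recommit.
    git reset -q --soft HEAD~1
    printf 'import os\nkey = os.environ["API_KEY"]\nprint("hello")\n' > app.py
    git add . && git commit -q -m "some message"

    # Push only sends objects reachable from the ref being pushed.
    git push -q ../remote.git HEAD:refs/heads/main

    # Report whether the leaked commit object exists in a given repo.
    state() {
      if git "$@" cat-file -e "$leaked" 2>/dev/null; then echo present; else echo absent; fi
    }
    remote=$(state -C ../remote.git)
    local_before=$(state)

    # Drop the local pointers to the leaked commit, then prune it.
    git update-ref -d ORIG_HEAD
    git reflog expire --expire=now --all
    git gc -q --prune=now
    echo "remote=$remote local_before_gc=$local_before local_after_gc=$(state)"
  )
  rc=$?
  rm -rf "$work"
  return $rc
}

demo_leak_check
```

The reflog and prune steps only clean the local clone. A key that was ever pushed, even briefly, should be treated as exposed and rotated.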